You’re a government official who finds yourself reading in the news about various government agencies that have been hacked, leading to data being compromised and misused for profit or negative leverage. You begin to question whether the online election data you’re responsible for is secure enough.
You Have Threats on the Inside
A malicious insider is a threat to an organization that comes from people within the organization, such as employees, former employees, contractors or business associates, who have inside information concerning the organization's security practices, data and computer systems. This could be the office administrative assistant, the helpdesk operator, the volunteer at the local polling station or the delivery person who looks over what you’re doing when dropping off supplies each week. Regardless, you must be aware that there are many different types of people on the inside who could have malicious intent and attempt to modify information in an effort to negatively influence an election.
Take for example what has happened in New York City. The NYC Board of Elections has suspended several officials amid allegations that at least 120,000 names were purged from voter rolls in Brooklyn ahead of the presidential primaries earlier this year. It then becomes obvious to you that you must not only protect data from malicious outsiders, but also from malicious insiders wanting to influence the upcoming presidential election to match their ideals.
What should be done?
Government agencies must protect all online election data. This starts with proper information security controls and segregating roles and responsibilities for employees, volunteers and contractors.
- Encryption: All information, at rest and in transit, must be encrypted to prevent it from being compromised or accessed by unauthorized personnel.
- Management: Employees should not have access to make bulk edits to a database. However, it would be appropriate to permit an employee to edit a single entry in a database as long as there is appropriate logging that ties each change to the ID of the employee making it. This will prevent mass malicious changes to a database and many records from being lost or manipulated.
- System and data governance: This must be set in place to detect who, what, where and when.
- Data Backup: Data must be backed up so that information can be restored in the event of data loss.
- Data Protection: Information must be protected with identity and access management controls.
- Usernames and Passwords: Secure logins and passwords must be kept private and never shared.
- Accessibility: Credentials and access to systems must be deleted immediately for former employees, volunteers and contractors. Credentials to systems and data must only be provided on a need-to-know basis as part of job duties.
- Audits: On a regular basis, audits of data and systems must be performed by an independent third party.
- System Adjustments: Mass information or system changes must require a peer review and sign-off prior to the functions being performed.
- Behavior Detection: System parameters should be set to recognize unusual behavior and send notifications about it.
The recommendations outlined above are just some of the most critical security controls that must be in place to protect information and systems. They need to be taken very seriously or it will be quite easy for a malicious insider to manipulate information.
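The Management, System Adjustments and Behavior Detection controls can be combined into one check over the change log. The following is an added example, not part of the original article: the log format, field names, time window and threshold are all assumptions, and the log lines are constructed sample data.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_UNAPPROVED = 3              # assumed per-employee limit inside one window

def parse(line):
    """Parse 'timestamp|employee_id|action|record_id|approver_id' (assumed format)."""
    ts, emp, action, record, approver = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "emp": emp, "action": action,
            "record": record, "approver": approver or None}

def flag_mass_changes(lines, window=WINDOW, limit=MAX_UNAPPROVED):
    """Return {employee_id: count} for employees whose changes without
    independent sign-off exceed `limit` inside any sliding `window`."""
    by_emp = defaultdict(list)
    for e in map(parse, lines):
        if e["action"] not in ("DELETE", "UPDATE"):
            continue  # reads do not modify voter records
        # Peer review only counts when the approver is a different person.
        if e["approver"] and e["approver"] != e["emp"]:
            continue
        by_emp[e["emp"]].append(e["ts"])
    alerts = {}
    for emp, stamps in by_emp.items():
        stamps.sort()
        start = worst = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # drop changes that fell out of the window
            worst = max(worst, end - start + 1)
        if worst > limit:
            alerts[emp] = worst
    return alerts

# Constructed sample log, not real data.
SAMPLE_LOG = (
    [f"2016-01-04T09:0{i}:00|E100|DELETE|V{i}|" for i in range(5)]           # no sign-off
    + [f"2016-01-04T10:0{i}:00|E300|DELETE|V{10 + i}|E400" for i in range(5)]  # peer-approved
    + [f"2016-01-04T11:0{i}:00|E500|DELETE|V{20 + i}|E500" for i in range(4)]  # self-approved
    + ["2016-01-04T09:30:00|E200|UPDATE|V30|",   # isolated single-record edits
       "2016-01-04T14:30:00|E200|UPDATE|V31|",
       "2016-01-04T09:31:00|E200|READ|V32|"]
)

if __name__ == "__main__":
    for emp, count in flag_mass_changes(SAMPLE_LOG).items():
        print(f"ALERT: {emp} made {count} changes without independent sign-off")
```

The employee who approved their own deletions is flagged alongside the one with no approval at all, while the peer-reviewed bulk change and the isolated single-record edits pass.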
Act Now or Risk Serious Consequences
Protecting online voter information and election outcomes is critical to the continual operation and security of our country. With nearly 22 million federal, state and local government employees in the US as of 2015, not having segregation of duties and having poor information security practices in place could lead to devastating outcomes at any level of government. If you think you know everyone (employees, volunteers or contractors) in your local government board of elections office, you better think again. Protect the information you are responsible for and don’t be the government office that’s all over the news this fall because you didn’t.